Hackers claim they have stolen data on 1 billion Chinese residents from the police

Hackers say they have stolen the personal data of 1 billion Chinese citizens from a Shanghai police database and offered them for sale, a leak that, if confirmed, would be one of the largest such exposures in history.

In a post last week on an underground hacker forum, an anonymous poster or group announced the availability of the data and released a sample, which allegedly contained 750,000 records. The asking price for the entire 23-terabyte database was 10 bitcoin, or around 200,000 dollars. The post has since been blocked by the site.

The data included names, national identification and telephone numbers, medical records, details from police reports and other information. Although the authenticity of the entire database was not verified, some ID numbers reviewed by The Post appeared to match information found on a government website.

The alleged hackers said there were billions of case reports – from thefts to fights to domestic violence, dating from the late 1990s to 2019 – and the records of 1 billion Chinese citizens. If authenticated, the database would cover more than 70 percent of China’s 1.4 billion people. The personal information and reported incidents were contained in separate files.

Despite the scale, the government blocked victims from learning about the leak. On Weibo, a widely used Twitter-like platform in China, a keyword search for “data leak” or “Shanghai police database” did not yield any results related to the breach. An affected person confirmed in an interview with The Post details about the mail related to them, but had not known about the leak.


The breach came after China’s law on personal data protection came into force last year, imposing strict security measures on companies and public entities that handle personal information. The law was passed after Chinese regulators ordered more than 40 companies to change their operations for breaches of data transmission rules, Reuters reported.

Kendra Schaefer, head of technology policy research at the China-focused research team Trivium China, said in a Twitter post Monday that the incident was the first major public breach by a state body under the new law. “So it’s unclear who is holding whom responsible,” she said. The Ministry of Public Security (MSP) typically oversees the investigation of cybercrime.

“The registers allegedly also contain details about case files for minors,” Schaefer said. “So that would be a violation of the Minority Act.” She raised the possibility that the data contained information about celebrities or officials.

In the released sample dataset, certain information was associated with individuals listed under “seven categories of key individuals”, a reference to individuals monitored by the MSP for suspected criminal activity.

The Ministry of Foreign Affairs, the Shanghai Government and the Shanghai Police did not respond to requests for comment.

However, it is also possible that the files were online before the law came into force and only received public attention after the alleged hacker posted them online. Cybersecurity researcher Vinny Troia told CNN that he was made aware of the database in January on a public website, which opened in April 2021, meaning that anyone could have accessed the database since then.

There is also speculation that government employees accidentally included the credentials needed to access the database in a blog post on the Chinese Software Developer Network, a forum for developers to share code. Changpeng Zhao, CEO of the cryptocurrency exchange Binance, referred to the theory in a tweet on Monday. He said the company “had already stepped up verifications” for users who were potentially affected.

The anonymous poster claimed that the database was hosted by AliCloud, a subsidiary of the Chinese e-commerce giant Alibaba Group. Cloud providers affiliated with major technology companies, such as AliCloud, typically build the digital infrastructure for government agencies.

Alibaba Group did not respond to a request for comment.

But Shawn Chang, CEO of security solution provider HardenedVault, found the theory unconvincing. “Shanghai is a city [with] 250 million inhabitants. AliCloud is unlikely [to use] one key for the entire police system,” he said. He added that the breach could be elsewhere, such as with centralized key management services failing to go through the authentication process.

Web security consultant Troy Hunt said the anonymity of the person offering the data for sale, as well as the size of the database, raised questions about its accuracy. The demand for a large payment also increases the possibility that the claim is exaggerated or falsified, he added.

But the data was also strong “because it’s a very unique class of information,” Hunt said. Unlike names and phone numbers self-reported when filling out a form online, as seen in other data breaches, there were police reports that “only really wanted to be in one place.”

It is no secret that government entities in China have poorly managed computer systems. “The problem with the Chinese government is that they collect all citizens’ data on public service platforms, which had serious consequences when the data was leaked,” Chang said. “Everywhere you go, you have to submit your information. But it is not a systematic way to manage this data. Private companies are also bad at managing data, but are better than the authorities.”

Earlier this year, a researcher obtained a cache of documents from Xinjiang police, which described draconian surveillance and retraining practices in the region and shed light on Beijing’s attacks on the Uighur population.
